fail2ban and waf

Question

Hi, 
 We migrated some websites from direct internet access, to a WAF-style config, with the SSL and the external IP/DNS ending on sophos XG. This immediately proved to have a negative effect on scripts (fail2ban and some others) that we use to block IP addresses. We considered using X-Forwarded-For to block the originating IP, but of course it has no effect under WAF. ;-) 
 Anyway: The question: we're looking for an easy (XG API) way, to make (things like) fail2ban work with websites in the XG WAF. Because currently, on one side XG WAF adds security, but it takes it away on the other side. :-) 
 So I hope someone has to share some XG API scripts he or she is using to upload IP's to be blocked/unblocked to the XG? 
 Anyone with samples? 
 (not sure i posted this in the right category...)

mouk · Accepted Answer

ok, I have updated the code and templates here ( https://github.com/kkplein/xg_fail2ban ) and everything seems to be working now. (from my testing anyway....) 
 To ban hosts on XG, via the API, from an internal host "webserver" with API access, simply run on the webserver: 
 xg_fail2ban ban 1.2.3.4 
 This will create on XG an IPv4 host object (named "fail2ban-webserver-1.2.3.4") and a firewall rule with the same name, that would drop traffic coming from 1.2.3.4 
 To release the ban, run on the webserver: 
 xg_fail2ban unban 1.2.3.4 
 This will delete on XG the firewall rule, and then also the host object, so everything is back to initial state. 
 What remains to be done: 
 - hook-up the script to fail2ban 
 Suggestions, or remarks... MORE than welcome!